Hi all,
Here is some information from the dCache SRM developer regarding
the new SRM tomcat service.
----------
> Question 1:
>
> Does tomcat need to listen
> on 8005, 8009, 8080 (=webcache) and 5001? Which of these ports should be
> firewalled to prevent external (or internal) access?
Port 8005 is used locally by the shutdown script so it is best not to let
anyone connect to it.
8080 is http access to tomcat, and since the srm web service is using gsi
authentication and verification of the user's credential before
executing any of the requests, it is not a security risk to have it
open, if you trust tomcat to be secure (it might allow attackers to
exploit some other known tomcat/axis vulnerabilities).
Port 5001 is used by the SOAPMonitor service.
Port 8009 is used for AJPv13 (Apache JServ Protocol which has something
to do with communication between the web server and the servlet container).
In future versions I will modify the installation scripts so that the
services on ports 8009, 5001 and 8080 are disabled. In the case of
shutdown, the service will be protected by a dynamically generated password
(see http://marc.theaimsgroup.com/?l=tomcat-user&m=103133645416097&w=2).
> Question 2:
>
> Also, the tomcat process is running as root. Is there any way to run it
> under a user account?
Yes, root access is needed, since for some operations srm has to get
certain attributes directly from pnfs.
Thanks,
Timur
-----------
So if you install 1.7.0-16 then you should make sure the above ports can't
be accessed.
It's still not clear to me why things have to run as root in dCache. Maybe
Owen can comment further.
Cheers,
Greig
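As an added example (not code from the thread or from dCache), here is a small Python audit of a Tomcat `server.xml` that reports the listeners Timur says should not be reachable: the shutdown port and the 8080/8009 connectors. Both sample configurations are constructed; the "hardened" one uses Tomcat's documented `port="-1"` to disable the shutdown listener and simply drops the unwanted connectors. Port 5001 is configured by the Axis SOAPMonitor, not by `server.xml`, so it is out of scope here.

```python
import xml.etree.ElementTree as ET

# Constructed sample resembling a stock Tomcat server.xml (not from the thread).
DEFAULT_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" maxThreads="150"/>
    <Connector port="8009" protocol="AJP/1.3"/>
    <Connector port="8443" scheme="https" secure="true"/>
  </Service>
</Server>"""

# Constructed hardened variant: shutdown listener disabled (port="-1"),
# plain HTTP (8080) and AJP (8009) connectors removed, only the
# GSI-authenticated HTTPS connector left.
HARDENED_SERVER_XML = """<Server port="-1" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" scheme="https" secure="true"/>
  </Service>
</Server>"""

# Ports the thread wants closed that live in server.xml (5001 is Axis, not here).
UNWANTED_PORTS = (8005, 8009, 8080)


def audit_server_xml(xml_text, unwanted_ports=UNWANTED_PORTS):
    """Return a list of human-readable findings, empty if nothing to report."""
    findings = []
    root = ET.fromstring(xml_text)

    # The <Server port=...> attribute is the shutdown listener; -1 disables it.
    shutdown_port = int(root.get("port", "-1"))
    if shutdown_port != -1:
        findings.append(f"shutdown listener enabled on port {shutdown_port}")
        # The well-known default command is a poor secret, hence the password
        # Timur mentions; flag it when it is still the default.
        if root.get("shutdown") == "SHUTDOWN":
            findings.append("shutdown command is the default 'SHUTDOWN'")

    # Each <Connector> is a listening socket; no address means all interfaces.
    for conn in root.iter("Connector"):
        port = int(conn.get("port", "0"))
        if port in unwanted_ports:
            proto = conn.get("protocol", "HTTP/1.1")
            addr = conn.get("address", "0.0.0.0")
            findings.append(
                f"connector {proto} on port {port} enabled (bound to {addr})")
    return findings


if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_SERVER_XML),
                      ("hardened", HARDENED_SERVER_XML)):
        print(name, audit_server_xml(cfg) or "no findings")
```

Run it against the real `/path/to/tomcat/conf/server.xml` contents to see which of the listeners from the thread your installation still exposes.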